Hardware firewalls are dedicated computers placed between the internal network of a company or
an Internet provider and the Internet. They are meant to block hacker attacks, denial-of-service
attacks and spam, while at the same time letting through company employees who log in to the
corporate network over a VPN (Virtual Private Network) connection. According to the documents,
the NSA's ANT division has developed hardware and software implants for the hardware firewalls
of all major manufacturers: Cisco, Juniper and Huawei. In this way, these manufacturers'
computers, intended as a digital protective wall, are apparently turned into gateways for the
NSA hackers. Most of the ANT implants for firewalls are said to hide in the BIOS, the lowest
software layer of the device. This ensures that they keep working and can load further spyware
even when the machine is rebooted or a new operating system is installed.

Cisco PIX series, Cisco ASA series

The products of the PIX line from US manufacturer Cisco were hardware firewalls for, depending
on the model, small and medium-sized businesses or large enterprises and service providers.
Production of this model line was discontinued in 2008. Its successors are the products of the
ASA series, which are designed for businesses of various sizes and for data centers.

JETPLOW: According to this NSA document, a software implant for Cisco PIX and ASA firewalls
that installs permanent backdoors.

Huawei Eudemon series

The hardware firewalls of the Eudemon series from Chinese manufacturer Huawei are designed both
for small and medium-sized businesses (200 series) and for service providers and large
enterprises (1000 series). The Chinese company Huawei is now one of the world's largest
manufacturers of networking equipment. In the second quarter of 2013, according to market
research firm Infonetics, Huawei ranked second in revenue from routers and switches for mobile
and Internet providers, behind Cisco and ahead of Juniper. Huawei technology is also used, for
example, by O2, Vodafone and Deutsche Telekom.

HALLUXWATER is apparently a backdoor for Huawei Eudemon firewalls in the form of a software
implant that is hidden in the boot ROM.

Juniper Netscreen / ISG 1000

The larger models of the Netscreen series from manufacturer Juniper and the firewalls of the
ISG series are, according to the manufacturer, suitable for use by Internet service providers
as well as mobile network operators.

FEEDTROUGH is a software implant that is meant to enable outside access to the Juniper firewall
models N5XT, NS25, NS50, NS200, NS500, ISG1000.

Juniper SSG, Netscreen G5, Netscreen 25 and 50, SSG series

The Juniper SSG models are hardware firewalls for small and medium-sized businesses and for use
in branch offices of larger companies.

GOURMETTROUGH: A configurable implant for a range of Juniper firewalls, as the NSA document
shows.

SOUFFLETROUGH is an implant hidden in the BIOS for Juniper SSG300 and SSG500 devices that is
meant to establish a permanent backdoor (PBD).
JETPLOW

ANT Product Data 



(TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and 
ASA (Adaptive Security Appliance) firewalls. It persists DNT’s BANANAGLEE 
software implant. JETPLOW also has a persistent back-door capability. 
(TS//SI//REL) JETPLOW Persistence Implant Concept of Operations






(TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and 
ASA (Adaptive Security Appliance) firewalls. It persists DNT’s BANANAGLEE 
software implant and modifies the Cisco firewall’s operating system (OS) at boot 
time. If BANANAGLEE support is not available for the booting operating system, it 
can install a Persistent Backdoor (PBD) designed to work with BANANAGLEE’s 
communications structure, so that full access can be reacquired at a later time. 
JETPLOW works on Cisco’s 500-series PIX firewalls, as well as most ASA firewalls 
(5505, 5510, 5520, 5540, 5550). 



(TS//SI//REL) A typical JETPLOW deployment on a target firewall with an exfiltration 
path to the Remote Operations Center (ROC) is shown above. JETPLOW is 
remotely upgradeable and is also remotely installable provided BANANAGLEE is 
already on the firewall of interest. 



Status: (C//REL) Released. Has been widely deployed. Current
availability restricted based on OS version (inquire for details).

Unit Cost: $0

POC: S32222, nsa.ic.gov 
Derived From: NSA/CSSM 1-52
Dated: 20070108 
Declassify On: 20320108 




TOP SECRET//COMINT//REL TO USA, FVEY 




HALLUXWATER 

ANT Product Data 



(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a 
target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, 
the PBD installer software will find the needed patch points and install the back door 
in the inbound packet processing routine. 



06/24/08




Command, Control, and Data Exfiltration using 
DNT Implant Communications Protocol (typical) 
(TS//SI//REL) HALLUXWATER Persistence Implant Concept of Operations

(TS//SI//REL) Once installed, HALLUXWATER communicates with an NSA operator
via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to 
read and write memory, execute an address, or execute a packet. 



(TS//SI//REL) HALLUXWATER provides a persistence capability on the Eudemon 
200, 500, and 1000 series firewalls. The HALLUXWATER back door survives OS 
upgrades and automatic bootROM upgrades. 



Status: (U//FOUO) On the shelf, and has been deployed. 
POC: S32222. 



Derived From: NSA/CSSM 1-52 
Dated: 20070108 
Declassify On: 20320108 
FEEDTROUGH

ANT Product Data 



(TS//SI//REL) FEEDTROUGH is a persistence technique for two software implants,
DNT’s BANANAGLEE and CES's ZESTYLEAK used against Juniper Netscreen firewalls.
(S//SI//REL) Persistence Operational Scenario



(TS//SI//REL) FEEDTROUGH can be used to persist two implants, ZESTYLEAK and/or 
BANANAGLEE across reboots and software upgrades on known and covered OS’s for the 
following Netscreen firewalls, ns5xt, ns25, ns50, ns200, ns500 and ISG 1000. There is no 
direct communication to or from FEEDTROUGH, but if present, the BANANAGLEE implant 
can receive and transmit covert channel comms, and for certain platforms, BANANAGLEE 
can also update FEEDTROUGH. FEEDTROUGH however can only persist OS's included 
in its databases. Therefore this is best employed with known OS’s and if a new OS comes
out, then the customer would need to add this OS to the FEEDTROUGH database for that 
particular firewall. 



(TS//SI//REL) FEEDTROUGH operates every time the particular Juniper firewall boots. The 
first hook takes it to the code which checks to see if the OS is in the database, if it is, then a 
chain of events ensures the installation of either one or both implants. Otherwise the firewall 
boots normally. If the OS is one modified by DNT, it is not recognized, which gives the 
customer freedom to field new software. 



Status: (S//SI//REL) FEEDTROUGH has on the shelf solutions for all of the listed platforms. 
It has been deployed on many target platforms.



POC: S32222, @nsa.ic.gov



Derived From: NSA/CSSM 1-52 
Dated: 20070108 
Declassify On: 20320108 
GOURMETTROUGH

ANT Product Data 



(TS//SI//REL) GOURMETTROUGH is a user configurable persistence implant for 
certain Juniper firewalls. It persists DNT’s BANANAGLEE implant across reboots 
and OS upgrades. For some platforms, it supports a minimal implant with 
beaconing for OS's unsupported by BANANAGLEE.
(TS//SI//REL) GOURMETTROUGH Persistence Implant Concept of Operations

(TS//SI//REL) For supported platforms, DNT may configure BANANAGLEE without
ANT involvement. Except for limited platforms, they may also configure PBD for
minimal implant in the case where an OS unsupported by BANANAGLEE is booted.

Status: GOURMETTROUGH is on the shelf and has been deployed on many
target platforms. It supports nsg5t, ns50, ns25, isg1000 (limited). Soon - ssg140,
ssg5, ssg20



Unit Cost: $0 



POC: S32222, @nsa.ic.gov



Derived From: NSA/CSSM 1-52 
Dated: 20070108
Declassify On: 20320108 
SOUFFLETROUGH

ANT Product Data 



(TS//SI//REL) SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG 
500 and SSG 300 series firewalls. It persists DNT's BANANAGLEE software 
implant. SOUFFLETROUGH also has an advanced persistent back-door capability. 
(TS//SI//REL) SOUFFLETROUGH Persistence Implant Concept of Operations

(TS//SI//REL) SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG 
500 and SSG 300 series firewalls {320M, 350M, 520, 550, 520M, 550M}. It persists 
DNT's BANANAGLEE software implant and modifies the Juniper firewall’s operating 
system (ScreenOS) at boot time. If BANANAGLEE support is not available for the 
booting operating system, it can install a Persistent Backdoor (PBD) designed to 
work with BANANAGLEE’s communications structure, so that full access can be 
reacquired at a later time. It takes advantage of Intel's System Management Mode 
for enhanced reliability and covertness. The PBD is also able to beacon home, and 
is fully configurable. 

(TS//SI//REL) A typical SOUFFLETROUGH deployment on a target firewall with an 
exfiltration path to the Remote Operations Center (ROC) is shown above. 
SOUFFLETROUGH is remotely upgradeable and is also remotely installable 
provided BANANAGLEE is already on the firewall of interest. 



Status: (C//REL) Released. Has been deployed. There are no 
availability restrictions preventing ongoing deployments. 
POC: S32222, @nsa.ic.gov



Unit Cost: $0 



Derived From: NSA/CSSM 1-52 
Dated: 20070108 
Declassify On: 20320108 